HTTP Strict Transport Security (HSTS)
HSTS improves security by requiring all browser connections to use HTTPS rather than HTTP.
Why you need it
HSTS delivers the following benefits:
- Mitigates the risk of sensitive data leaking out unencrypted.
- Improves data integrity. HTTPS mitigates the risk of man-in-the-middle attacks because your website’s encryption certificate is validated by the end-user's browser.
How it works
HSTS instructs the browser to use HTTPS when making requests to your website. The browser remembers this instruction for an amount of time that you set, so the next time a user visits your website, their browser will use HTTPS.
HSTS works through the use of the Strict-Transport-Security
response header. Once a browser receives this header, it prevents sending any communications over HTTP to the specified domain, and sends it all over HTTPS instead. Insecure HTTP links are converted to secure HTTPS links. For example, http://example.com/some/page/
is converted to https://example.com/some/page/
before accessing the server. If the security of the connection can’t be ensured (for example, the server's TLS certificate isn't trusted), the user sees an error message and can't access the site.
When you implement HSTS, your site will no longer accept any requests made using HTTP. Make sure that your site and subdomains are fully tested using HTTPS and that there are no situations where your domain needs to send data over HTTP. To test the configuration, see Test HTTP Strict Transport Security (HSTS).
Features and options
The table discusses the options available. Make sure you review the full Implementation section to ensure you're setting up HSTS properly.
Field | What it does |
---|---|
Enable | Turns the HTTP Strict Transport Security (HSTS) behavior on or off. |
Max age | Specifies the maximum length of time that all browsers connect to your site using HTTPS. Changing the value of Max age affects new connections only. Browsers that connected prior to the update continue to use the Max age in effect at the time. You can select from these options:
|
Include all subdomains | Specifies whether all subdomains are required to use HTTPS. This includes any intranet or delegated hosts in the domain that connect through Akamai. |
Preload | Adds the domain to the browser’s preload list that’s hardcoded into Google Chrome, and other browsers that have preload lists based on the Chrome list. You still need to declare the domain at hstspreload.org. The presence of your domain in the preload list means that a browser will connect using HTTPS from the very first attempt, protecting against bootstrap man-in-the-middle attacks. If your domain isn’t in the preload list, the initial connection from a browser will use HTTP, after which your site will send the HSTS header to the browser, requiring it to connect using HTTPS.
|
Redirect all HTTP requests to HTTPS | When enabled, redirects all HTTP requests to HTTPS. If you do not configure your site to redirect HTTP requests, all connections using HTTP will be ignored. You can select from these options:
|
Implementation
When you implement HSTS, there’s a risk that the system will deny access to users when HSTS isn’t configured correctly. For example, your domain may have absolute links or subdomains that will become inaccessible after you configure the domain to require the use of HTTPS. Because of this risk, and the difficulty in reversing the requirement to force connections to use HTTPS, you can configure two rules in the domain’s property that will let you turn HSTS on and off using queries in the requests to the domain.
To implement HSTS for a domain, you need to
- Verify that the domain is configured to support HSTS.
- Configure rules and behaviors that will allow you to turn on and turn off HSTS by sending requests from your browser to the domain.
- Test HSTS in a staging network before implementing it in production.
Make sure the domain supports HSTS
Before you begin implementing HSTS on a domain, make sure that the domain:
- Requires HTTPS. Make sure that the property has a Redirect to HTTPS rule configured with the Redirect Status Code set to 301 Moved Permanently.
- Uses a certificate that includes the hostnames and subdomains. Browsers will not allow you to ignore certificate errors and will cause the TLS handshake to fail, making the site inaccessible to end users.
- Doesn’t use any absolute HTTP paths for links or subdomains. After you implement HSTS, absolute paths will be inaccessible.
Limitations on use
If you want to use HSTS, you can't include the following behaviors in any rule that would be applied to the same request:
- HTTP to HTTPS Upgrade
- HTTPS Cache Key Sharing
- Protocol Downgrade (HTTPS Downgrade to Origin)
- Protocol Downgrade (Legacy)
Add rules to enable or disable HSTS
You can add these rules to turn HSTS on and off, based on requests sent from a browser to your domain.
1 - Add a rule to turn on HSTS
First, add a new rule to your property to turn HSTS on:
-
In Property Manager Editor, click Add Rule.
-
Select Blank Rule Template from the Available Rules list.
-
In the Blank Rule Template field, enter Set HSTS as the name for this rule and then click Insert Rule.
-
Click Add Match.
-
Set the If panel options:
- Select Query String Parameter from the first field. For more details, see Query String Parameter.
- Enter aka-hsts-max-age in the Enter name field.
- Select Is one of from the list.
- Enter 86400 in the Select Items field. (86400 seconds = 1 day).
-
Click Add Behavior.
-
In the Search available behaviors field, type "HTTP Strict", select HTTP Strict Transport Security (HSTS), and click Insert Behavior.
-
Set the following options in the behavior:
- Max Age. Set to 1 day.
- Include all subdomains. Enable this.
- Preload. Enable this.
- Redirect all HTTP requests to HTTPS. Enable this.
2 - Add a rule to turn off HSTS
Add a second rule to your property to turn HSTS off:
-
Click Add Rule.
-
Select Blank Rule Template from the Available Rules list.
-
In the Blank Rule Template field, enter Override HSTS as the name for this rule and then click Insert Rule.
-
Click Add Match.
-
Set the If panel options:
- Select Query String Parameter from the first field.
- Enter aka-hsts-max-age in the Enter name field.
- Select Is one of from the list.
- Enter 0 in the Select Items field.
-
Click Add Behavior.
-
In the Search available behaviors field, type "Modify", select Modify Outgoing Response Header, and click Insert Behavior. For more details, see Modify Outgoing Response Header.
-
Set the following options in this behavior:
- Action. Select Remove.
- Select Header Name. Select Other...
- Customer Header Name. Enter Strict-Transport-Security.
-
Click Add Behavior to add a second behavior.
-
In the Search available behaviors field, type "Modify", select Modify Outgoing Response Header, and click Insert Behavior.
-
Set the following options in this behavior:
- Select Header Name. Select Other...
- Customer Header Name. Enter Strict-Transport-Security.
- Header Value. Enter max-age=0.
-
Save your property.
Test HSTS
Test your HSTS configuration in a staging network before implementing HSTS in your production environment.
In the staging environment, you’ll use the Set HSTS and Override HSTS rules to turn HSTS on and off, so that you can verify that the domain is configured correctly.
In the production environment, you must remove the ability to configure HSTS using the Set HSTS and Override HSTS rules. Leaving these rules in place would allow anyone who sends a request that includes the query string
path?aka-hsts-max-age=
to turn HSTS on and off on your domain.
Test HSTS on staging
-
Turn on HSTS by sending the following request to your domain:
http://{yourdomain}/path?aka-hsts-max-age=86400
. -
Verify that connections to the domain are using HTTPS and that all links and subdomains are accessible via HTTPS.
-
Turn off HSTS by sending the following request to your domain:
http://{yourdomain}/path?aka-hsts-max-age=0
. -
Repeat these steps until you’re satisfied that the domain is configured correctly.
Test HSTS on production
As part of testing in the production environment, you need to remove the ability to configure HSTS using the Set HSTS and Override HSTS rules. Leaving these rules in place would allow anyone who sends a request that includes the query string path?aka-hsts-max-age=
to enable or disable HSTS on your domain.
-
Click the Override HSTS rule, then select Delete from the Settings.
-
In the Confirm Delete dialog box, click Yes.
-
In Property Manager Editor, click the Set HSTS rule.
-
Delete the match criteria from the rule.
-
Click Save. The HTTP Strict Transport Security (HSTS) behavior that you configured in the rule now applies to the entire domain.
-
Leave Max Age set to 1 day for at least a week. During this time, ensure that connections to your domain are using HTTPS and that all links and subdomains are accessible via HTTPS.
-
When you’re satisfied that the domain is configured correctly, edit the behavior to increase the Max Age to a number of days meets your needs.
-
If you want to include your domain in the HSTS preload list, select Preload.
-
Click Save.
Next steps
If you want to include the domain in the HSTS preload list, go to https://hstspreload.org/ and submit the domain.
Updated 7 months ago